AML
April 8, 2026
4:07 pm

What Is AML Compliance and How Does It Affect Cyprus Businesses

AML refers to the collection of laws, internal controls, and reporting mechanisms designed to stop the illegal flow of funds through legitimate commercial channels. At its core, the framework exists to prevent criminals from disguising the origins of illicitly obtained wealth, whether it stems from fraud, corruption, drug trafficking, or tax evasion.

But why should this matter to someone forming a company? Because the moment you register a legal entity in any jurisdiction, that entity becomes a potential vehicle for moving capital. Regulators across Europe, and certainly on the island, expect every new enterprise to be vetted before it can open a bank account, appoint directors, or begin trading.

AML compliance aims to protect not only financial institutions but also the broader economic environment from exploitation. The scope covers everything from customer identification to ongoing transaction monitoring. The simplest way to think about it: if your firm touches other people’s capital, or if professionals provide services to your firm, somebody in that chain has a legal duty to verify who you are and where your funds originate.

The Legal Framework Behind the Island’s Approach

Cyprus has implemented a layered regulatory structure to tackle illicit financial activity. The primary piece of legislation is the Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007 (Law 188(I)/2007), as amended. This statute transposes the EU’s Fourth and Fifth Anti-Money Laundering Directives into local law while incorporating recommendations from the Financial Action Task Force (FATF).

Several key elements define this legal architecture:

Law 188(I)/2007 criminalises the laundering of proceeds from predicate offences, including terrorist financing
Cyprus’ AML law prohibits forming a business relationship without applying prescribed identification, record-keeping, and internal reporting procedures
The legislation extends to all obliged entities, from banks to accountants and trust service providers
Terrorism financing is a serious offence under the same statute, carrying severe criminal penalties
A person knowingly involved in laundering can face up to 14 years’ imprisonment or a fine of up to EUR 500,000, or both

In August 2024, the Cyprus Securities and Exchange Commission (CySEC) published Directive R.A.D 282/2024. This CySEC directive updated requirements around electronic verification, identification document standards, and adverse media monitoring, bringing clarity to areas that had been ambiguous for years.

Then, in May 2025, the Central Bank issued its own AML/CFT Directive (K.D.P. 120/2025), effective from 2 June 2025. That directive strengthened governance mandates for boards and compliance officers, prohibited the complete outsourcing of such functions, and enabled proportional, risk-based reviews rather than rigid schedules.

More recently, legislation restricting cash transactions above EUR 10,000 was passed, bringing the country in line with EU Regulation 2024/1624. Any transaction exceeding that threshold must now use traceable financial methods.

Who Qualifies as an Obliged Entity

Not every firm bears direct AML duties, but the list of those that do is extensive. Under the current rules, the following must apply to customer verification and reporting obligations:

Credit and financial institutions, including banks and payment firms
Investment firms and fund managers regulated by CySEC
Auditors, tax advisors, and certified public accountants
Legal practitioners
Trust and company service providers
Real estate agents
Crypto-asset service providers (CASPs), now classified as financial entities following the 2025 amendments

Even if your company is not itself an obliged entity, the professionals you work with, your bank, your auditor, your corporate service provider, all carry these duties. That means your company will be subject to their verification processes before they agree to act on your behalf.

Due Diligence: What Gets Checked and Why

When you set up a new entity on the island, one of the first steps is to provide documentation to help service providers detect money laundering and confirm the legitimacy of the proposed arrangement. This process, commonly known as Know Your Customer (KYC), is not merely a formality.

For individuals behind the structure:

A valid passport or national identity card
Proof of residential address dated within three months (a utility bill, bank statement, or government letter)
Professional reference or curriculum vitae
Evidence demonstrating the source of wealth and origin of funds

For corporate shareholders or parent entities:

Certificate of incorporation issued within six months
Memorandum and articles of association
Register of directors and shareholders
A beneficial ownership chart showing the ultimate natural persons who own or control the entity
Board resolution authorising the new relationship
KYC documentation for each natural person behind the corporate chain

Banks have become particularly strict since the sector’s major de-risking exercise in 2014. Opening a corporate account for a new structure can take 2 to 6 weeks, or longer if the ownership chain spans multiple jurisdictions.

Enhanced Checks for Higher-Risk Situations

Standard due diligence is sufficient for straightforward arrangements. Certain circumstances, however, trigger enhanced procedures requiring additional documentation and deeper scrutiny:

Politically exposed persons (PEPs) among the shareholders or directors
Shareholders from jurisdictions on the EU’s high-risk third country list
Complex or opaque ownership structures
Unusually large or irregular suspicious transactions that lack a clear economic rationale

Both the 2024 CySEC directive and the 2025 Central Bank directive make clear that enhanced checks are mandatory, not discretionary, in higher-risk scenarios.

Regulatory Authorities and Their Responsibilities

Understanding which body oversees which function matters when structuring a new entity and selecting professional advisors. The regulatory landscape involves several distinct institutions:

Authority	Primary Responsibility
Central Bank of Cyprus	Supervises banks, payment institutions, and electronic money issuers; issues AML directives for the financial sector
CySEC	Regulates investment firms, fund managers, and CASPs; enforces AML rules within the securities sector
MOKAS (Financial Intelligence Unit)	Receives and analyses suspicious transaction reports; coordinates with law enforcement domestically and internationally
Registrar of Companies	Maintains the beneficial ownership register; enforces UBO reporting requirements
ICPAC	Oversees accountants and audit firms for AML compliance
Cyprus Bar Association	Ensures lawyers meet their anti-money laundering duties

MOKAS plays a particularly central role. Whenever an obliged entity identifies a suspicious activity pattern, it must promptly file a report with MOKAS. After submission, the entity must follow any instructions given, including whether to proceed with, delay, or suspend a particular transaction. The law protects reporters from contractual liability when acting on MOKAS instructions.

In March 2024, the country signed a memorandum of understanding with the United States specifically targeting illicit financial flows. This notable step in international cooperation signals the jurisdiction’s commitment to transparency.

Penalties for Failing to Meet Your Obligations

The consequences of non-compliance are not theoretical. Supervisory authorities have been increasingly active, and CySEC alone imposed fines and settlements totalling approximately EUR 2.3 million in 2025.

Here is what entities and individuals face for various types of breaches:

Criminal penalties for knowingly participating in laundering: up to 14 years’ imprisonment, a fine of up to EUR 500,000, or both
Negligent involvement carries up to 5 years’ imprisonment or a fine of up to EUR 50,000
Supervisory authorities can impose administrative penalties reaching EUR 1,000,000 under Article 59 of the AML law
Licence suspension or revocation for regulated firms
The National Sanctions Implementation Unit (NSIU), expected to be fully operational by the end of 2025, can impose fines of up to EUR 100,000 plus EUR 100 per day for ongoing violations
Beneficial ownership register non-compliance attracts EUR 100 on the first day, EUR 50 for each subsequent day, capped at EUR 5,000
The Registrar can initiate strike-off proceedings against persistently non-compliant entities

Beyond monetary consequences, reputational damage is the most lasting impact. A firm flagged for AML failures will struggle to maintain banking relationships, attract investors, or retain professional service providers. Corporate entities found guilty of laundering also face temporary or permanent exclusion from public tenders, grants, and allowances, as well as potential bans on commercial activity.

How These Rules Affect New Company Formation

For anyone looking to register a business on the island, the practical effects of AML regulations are felt immediately. You cannot complete the formation process without satisfying the KYC requirements of your service provider, and you certainly cannot open a bank account without producing detailed documentation.

Here is what the typical process looks like:

Your corporate service provider collects identity documents, source of wealth evidence, and a description of the intended activities
The provider conducts screening against sanctions lists, PEP databases, and adverse media sources
A risk assessment categorises the proposed relationship as standard or elevated
If approved, the provider proceeds with incorporation at the Registrar of Companies
The entity’s beneficial owners must be registered in the electronic Beneficial Ownership Register
Bank account opening involves a separate, often more intensive, round of documentation and verification
Annual confirmation of UBO details is mandatory, with the next cycle running from 1 October to 31 December each year

The entire onboarding process can take several weeks. Firms with straightforward structures and clear documentation typically move faster than those with multi-layered ownership or connections to jurisdictions perceived as higher risk.

It is worth noting that Cyprus, which applies these procedures rigorously, is doing so not out of bureaucratic habit but because the regulatory environment demands it. The jurisdiction has invested heavily in rebuilding its reputation following the 2013 banking crisis and the subsequent closure of its citizenship-by-investment programme in 2020.

What Ongoing Compliance Looks Like

Formation is only the beginning. Once your entity is operational, several continuing duties apply:

Annual audited financial statements prepared under IFRS and filed with the Registrar
Ongoing transaction monitoring by your bank and service providers to detect unusual patterns
Periodic review and updating of customer files and risk profiles
Staff training on AML procedures for any employees handling client funds or sensitive data
Filing of suspicious activity reports with MOKAS whenever warranted

The point that catches many people off guard is the annual UBO confirmation. Even if nothing changes in your ownership structure, you must still log in to the government portal and confirm that the details remain accurate. Missing this step triggers escalating daily penalties.

What Comes Next: EU Reforms on the Horizon

The regulatory environment is not standing still. The EU adopted a major AML legislative package in May 2024, consisting of four instruments that will reshape how every member state approaches these issues:

The AML Regulation (Regulation (EU) 2024/1624), a directly applicable rulebook that will coordinate customer verification, risk assessment, and beneficial ownership transparency requirements across all member states from 10 July 2027
The Sixth AML Directive (Directive (EU) 2024/1640), which member states must transpose by the same date
The establishment of the EU Anti-Money Laundering Authority (AMLA), headquartered in Frankfurt, which commenced operations on 1 July 2025 and will begin directly supervising at least 40 high-risk cross-border financial entities from January 2028
Revised rules on information accompanying transfers of funds and crypto assets have been in effect since December 2024

For businesses operating on the island, these changes mean that the current national framework will gradually give way to a more uniform European standard. The AML Regulation will directly replace many provisions of national law, reducing divergence between member states and closing gaps that have been exploited in cross-border schemes.

AMLA’s arrival is particularly significant. Once fully operational, it will issue binding technical standards, coordinate national supervisors, and take direct enforcement action where needed. This represents a meaningful change from the current model, where oversight sits almost entirely at the national level.

The practical takeaway? If your compliance framework meets current AML requirements, you are well-positioned. But the bar will rise, and firms that do not adapt will face increasing pressure.

Working With a Trusted Advisory Firm

Handling these requirements alone is possible, but rarely practical. The documentation burden is substantial, regulations change frequently, and the consequences of getting it wrong are severe.

C. Savva & Associates supports clients through every stage of the AML onboarding process, from initial customer identity verification and source of wealth documentation to beneficial ownership registration and ongoing compliance monitoring. The firm holds a licence from the Cyprus Registrar of Companies and the Cyprus Securities and Exchange Commission, ensuring that the guidance you receive meets current regulatory standards.

C. Savva & Associates is not a law firm. For matters requiring legal expertise, the firm works with its partner law firm, Nicholas Ktenas & Co., LLC, which provides legal counsel in corporate and commercial law, banking and finance, data protection, intellectual property, employment law, and trusts.

Frequently Asked Questions

Is Cyprus a high-risk country in AML?

No, the island is not classified as a high-risk jurisdiction by FATF or the EU. MONEYVAL, the Council of Europe’s assessment body, has been monitoring its progress through enhanced follow-up since 2019. By its fourth enhanced follow-up report in 2025, the jurisdiction achieved Compliant or Largely Compliant ratings on 37 out of 40 FATF Recommendations. A sixth-round mutual assessment is scheduled for October 2028. The enhanced follow-up status reflects ongoing monitoring rather than designation as a problematic territory. Notably, the country has never appeared on the FATF grey list.

What is the meaning of AML compliance?

AML compliance refers to the policies, internal controls, and reporting mechanisms that organisations must maintain to detect and deter the movement of funds obtained illegally. It covers identity verification, ongoing transaction monitoring, screening against international watchlists, and filing reports with the relevant financial intelligence unit. For regulated entities on the island, these duties are prescribed under Law 188(I)/2007 and enforced by sector-specific supervisory authorities. Failing to maintain adequate controls can result in criminal prosecution, substantial fines, or licence revocation.

Is there money laundering in Cyprus?

Like any international financial centre, the jurisdiction faces exposure to illicit capital flows. Its geographic position between Europe, Asia, and Africa creates both opportunities and vulnerabilities. The 2021 National Risk Assessment identified sectors, including real estate, professional services, and corporate structures, as presenting elevated exposure. However, the country has responded with significant legislative reforms, strengthened enforcement, and deeper international cooperation, including a 2024 agreement with the United States specifically targeting illicit financial activity and related CTF regulations.

What can happen if a company fails to comply with AML regulations?

The consequences range from administrative fines, which can reach EUR 1,000,000 under current law, to criminal prosecution of responsible officers. Supervisory bodies may suspend or revoke operating licences, and the Registrar of Companies can strike off entities that persistently fail to comply with beneficial ownership reporting duties. In 2025, CySEC imposed fines and settlements totalling approximately EUR 2.3 million. Beyond formal penalties, non-compliant firms typically lose access to banking services and face lasting reputational harm that affects their ability to attract investment or retain clients.

Get Guidance From Experienced Professionals

If you are forming a new entity on the island or need to review your existing compliance framework, C. Savva & Associates can help. Reach out to the firm’s team in Nicosia to discuss your situation and receive tailored support to ensure your operations remain compliant with current regulations.